Method and device for checking an error control procedure of a circuit

ABSTRACT

A method for checking an error control unit in a circuit, wherein the error control unit generates an error signal, when operating properly, if the digital circuit is in an error state. The method includes the following steps: invoking the state indicating the error, monitoring the error signal, and generating an alarm signal when the error signal does not appear or appears incorrectly. A device for checking an error control unit of a circuit, wherein the error control unit generates an error signal when it is operating properly if the circuit is in or outputs a state indicating an error, has a device for inducing the state indicating the error, and a device for monitoring the error signal and generating an alarm signal when the error signal does not appear or appears incorrectly after the state indicating the error was induced.

TECHNICAL FIELD

The present invention discloses a method and device for checking an error control unit in a circuit.

BACKGROUND OF THE INVENTION

In many digital circuits it is highly important that their serviceability can be checked reliably. The operational reliability of such digital circuits, for example, must be acknowledged definitely when they are applied in safety-related circuits; for example, in the construction of automobiles. For this reason, digital circuits frequently include error control units that observe the performance of the digital circuits and generate an error signal when a state indicating an error occurs. Thus, for example, it can be determined whether redundant components run synchronously, and an error signal would be generated if the data in the redundant components were not the same. In the same way, signals can be picked up at individual points in the circuit and queried about non-permissible states or similar conditions. The error control also can monitor signals on interconnecting cables, e.g. on a system bus, and generate an error signal when a state indicating an error occurs.

A process for automatically controlling the execution of a sequence of orders in a microprocessor is described in the journal Electronique, issue no. 24, January 1993, pp. 53-59. In this process the time period for executing a sequence of orders is specified and compared to a preset reference time. An external circuit WD which receives a pulse for the reset is provided for defining the time period for executing the sequence of orders. If the time needed for carrying out the orders is too long or too short, if the reset pulse is generated not at all, too early or too late, then the executing time will deviate from the reference time and the occurrence of an error can be indicated immediately. In addition, a test routine is described for this process, by means of which the operational reliability of the circuits can be checked. For this purpose, software is applied to suppress reset pulses to the circuit WD, causing the duration of the program run to be extended in a non-permissible way. Then it is checked whether an error can be detected. In order to ensure that this “intentional” error is not interpreted as an actual error from outside, the method provides, on the one hand, for a reset pulse to be emitted again and, on the other hand, for a filtering process to be carried out with the aid of a filtering device, so that an error signal is generated only on the basis of an error that is recognized as a relevant error.

Since errors occur relatively seldom in digital circuits, corresponding error control units become active comparatively seldom. Hence, it cannot be proven definitively whether the error control unit is working properly.

SUMMARY OF THE INVENTION

The object of the present invention is a method and device for checking an error control unit, wherein these have a simple design and can detect different error conditions.

Before individual embodiments of the invention are described on the basis of the drawings, the terminology used in this application will be explained so as to avoid any misunderstandings. The above-mentioned safety-related circuit whose operational reliability is to be checked is referred to as “circuit” or “digital circuit”. When it does not work properly, this is referred to as an “error”. The circuit is monitored by an “error control (unit)”. When an error occurs, the error control unit emits an “error signal”. According to the present invention, a “method for checking” or a “device for checking” the proper functioning of the error signal or the error control unit generating the signal is applied. It should be noted that the monitored circuit on the one hand and the error control unit on the other hand do not necessarily have to be set up discretely, i.e. separately; for example, they can be components of a microprocessor and may not be distinguishable physically. The error control unit emits the above-mentioned error signal when a state indicating an error in the circuit occurs, with the error control unit being checked according to the present invention. If the check of the error control unit according to the present invention shows that the error control unit itself is defective (since it does not emit the error signal at all or not correctly), the checking device according to the present invention or the checking method according to the present invention generates an “alarm signal”.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of the components provided according to the present invention.

FIG. 2 is an accurate diagram of the checking device according to the present invention.

FIG. 3 is a diagram of a pulse-forming circuit for the error signal.

FIG. 4 shows signal curves in the circuits of FIGS. 2 and 3.

FIG. 5 is a monitoring circuit.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1 shows a block diagram of individual components. 101 is the circuit whose mode of operating is to be checked. Preferably this is a digital circuit that, for example, can communicate with other components via a signal line. However, 101 can also be an analog circuit. 103 is a device for inducing a state indicating an error. Device 103 can act on circuit 101 or signal line 102 and induce states there that should be detected as errors by the error control unit 104. Device 103 itself can be a digital or analog device. It can provoke faulty operation of circuit 101 or it can more or less address the input of the error control unit 104. Error control unit 104 monitors whether circuit 101 is operating properly by querying output signals and/or internal circuit points and checking for non-permissible states or time characteristics. For example, FIG. 1 can be a system in which 101 is a processor, 102 a bus and 104 an error control unit connected to the bus.

In the same way, assemblies within one single chip are possible, too. Also the error control unit 104 can be an analog device. However, components 101 to 104 preferably are digital components.

When a state indicating an error occurs (irrespective of whether this is real or provoked by device 103), the error control unit 104 will emit an error signal 105 when it is working properly.

In addition a checking device 106 is provided. Together with device 103 it can check the operation of the error control unit. In the process according to the present invention, device 103 indirectly or directly induces a state indicating an error. This state must be detected when the control unit 104 is working correctly, so that control unit 104 must generate an error signal after device 103 induced the state indicating an error. This is checked by checking device 106. If the error signal 105 is generated because the state indicating an error was induced, no alarm signal 107 will be emitted. If, however, the error signal is not output or incorrectly output or not output at the correct time, the checking device 106 generates alarm signal 107.

Preferably the state indicating the error is induced within a gate time, with the gate time being measured in such a way that the correctly generated error signal 105 also must appear during that time.

To coordinate checking device 106 and device 103 for inducing the state indicating the error, signal lines 108 can be provided between them, for example to exchange a digital signal indicating the gate time. The components, however, can also be coordinated by means of circuit 101 and signal lines 109.

It should be noted once more that the components mentioned above need not necessarily be discrete. FIG. 1 can be understood as a representation of functions that may be implemented within a circuit, within a chip by means of hardware or partially also software. However, preferably the checking device 106 according to the present invention is a digital circuit, whereas circuit 101, device 103 and control unit 104 can be analog circuits.

A preferred embodiment of checking device 106 that is formed by hardware is described with reference to FIG. 2 which shows four D-flip-flops 201 to 204. Three of these (201 to 203) are interconnected in a ring form in such a way that the Q output of one flip-flop always is connected to the D input of the other flip-flop respectively. The ring-formed interconnection is obtained by means of lines 208.

The D-flip-flops are toggle circuits that take over the digital state applied at the D input, for example, when a leading edge of a digital signal occurs at their clock input CLK. By means of preset inputs PRE and clear inputs CLR, the output Q of a D-flip-flop can be set depending on external signals, either to logical 1 or logical 0 independently of clock input CLK.

In order to be able to carry out the check of the error signal according to the present invention, the flip-flops 201 to 203 interconnected in a ring form are, on the one hand, clocked by different clock signals (=inducing them to take over the signal from the D input at the Q output) and, on the other hand, initialized in a certain way. One of the flip-flops (201, hereinafter referred to as the first flip-flop) is clocked at the beginning of the gate time and in particular through a suitable edge of signal 206 indicating the gate time. The following flip-flops (202, 203, hereinafter referred to as the second and third flip-flops) are clocked through a signal 207 according to the error signal 105. The gate time signal 206 can be a digital signal that indicates the time period within the gate time with one state and the time period outside the gate time with the other state. The first flip-flop 201 is activated by the gate time signal 206 in such a way that the flip-flop 201 takes over the input signal at the beginning of the gate time.

Error signal 105, which is to be checked by the checking device, can, for example, be a bistable signal that changes its state once for every error (real or provoked error) and, hence, gives rise to a leading or trailing edge. Then an edge indicates an error. The second and third D-flip-flops 202, 203 are activated in such a way that they take over the state at their D input at the Q output whenever an error occurs. When error signal 105 is the bistable signal and the D-flip-flops respond only to leading edges, suitable signal conditioning must ensure that every edge (leading or trailing) of the error signal 105 results in a leading edge for triggering the clock inputs CLK of the second and third D-flip-flops 202, 203. This, for example, can occur by means of a signal conditioning circuit according to FIG. 3. This circuit, whose function will be explained later, receives the actual error signal 105 and generates a clock signal 207 for the D-flip-flops 202, 203.

Moreover, the embodiment according to FIG. 2 exhibits an initialization device 209, 210 that sets the states of the individual flip-flops in an appropriate manner at the beginning. The initialization device 209, 210 consists of signals or connections that act on the preset inputs or clear inputs of the flip-flops. At the beginning the flip-flops are set in such a way that the third flip-flop 203 has the single digital state (0 or 1) at output Q3, whereas the other two flip-flops 201, 202 are set in such a way that they have the corresponding other digital state (1 or 0). The fourth D-flip-flop 4, which will be described later, is set to the same value as the third D-flip-flop 203 by the initialization device 209, 210.

The embodiment according to FIG. 2 is designed in such a way that the signal that is to be checked—error signal 105—clocks the circuit. The circuit is designed in such a way that—as long as error signal 105 is generated in the appropriate way—the state set at the beginning, according to which Q3 has a different state than Q1 and Q2, is maintained because it is not “forgotten” due to the loop-formed structure (D-flip-flops 202-203 and lines 208). The desired alarm signal is picked up at output Q2 of the second flip-flop 202 and/or at output Q3 of the third flip-flop 203.

In the embodiment according to FIG. 2, output Q3 of the third flip-flop 203 is applied to the D input of a fourth flip-flop 204. This fourth flip-flop 204 is clocked at the end of the gate time. Its output is EXOR connected to output Q2 of the second flip-flop. This leads to alarm signal 107 c.

The mode of operation of the circuit in different operating states is described below. On the one hand the error control unit 104 can work properly; then an error signal is generated when a state indicating an error occurs. On the other hand incorrect modes of operation may arise when no error signal is emitted or several error signals are emitted.

The latter possibility may take several forms (i.e. an additional error signal following the first error signal can lie within or outside the gate time). In addition, the additional error signal does not necessarily have to be traced back to a malfunction of the error control unit: rather it may indicate an actual (not provoked) error of circuit 101.

The operation of the embodiment according to FIG. 2 is described with reference to FIGS. 4 and 2. The control procedure according to the invention is repeated, e.g. it is executed periodically at intervals T_(P). The circuit is initialized before the procedure is repeated. For this purpose, the existing flip-flops are set by a suitable pulse RES 401 as described above. Subsequently, for example, a gate time with period T_(P) is set periodically, and this is indicated by the gate time signal TOR 402. The gate time T_(T) is shorter than the period T_(P). The timing of the gate time (logical 0 in signal 402) is selected in such a way that the error signal that is “provoked” by device 103 has to occur during this time. Preferably device 103 induces the state indicating the error at the beginning of the gate time, so that the error signal 105 should occur shortly afterwards. Error signal 105 is shown as signal IN in FIG. 4. As described above it is a bistable signal in this embodiment, which changes once when an error occurs.

The pulse-forming circuit shown in FIG. 3 transforms the signal IN 105 into signal INP 207. The signal INP 207 has a pulse 414 with a leading and a trailing edge respectively for each edge (leading or trailing) of signal IN 105. Flip-flops that only respond to one of the two edges (leading or trailing) can be triggered with these. Thus, the overall purpose of the pulse-forming circuit is to invoke clocking of the flip-flops for each error. If the error signal already is shaped correspondingly or the flip-flops, for example, respond to leading and trailing edges, the pulse-forming circuit according to FIG. 3 is not needed.

Flip-flop 1 is triggered at the beginning of the gate time. Thus, it takes over the state at its D input. In the example shown, the output then jumps from 0 to 1. A little later the error signal IN 105 and the pulse signal INP 207 with pulse 414 derived therefrom occur, and the pulse triggers/clocks flip-flops 202 and 203, so that both of them transmit their inputs to the output. Thus, flip-flop 202 takes over the 1 state at its output, and flip-flop 3 takes over the (previously existing) 0 state at its output. Since flip-flops 202 to 204 only respond to one edge (to the leading edge in the embodiment shown), nothing happens towards the end of the gate time or the end of pulse 414. The duration T₁ of pulse 414 preferably is selected in such a way that it is shorter than the gate time. When the error control unit is operating properly the above-described steps make up a single control procedure. The result is that the logical states of outputs Q1 to Q3 have changed. At the same time, the state initialized at the beginning, according to which flip-flop 3 has a different output state than flip-flop 1 and flip-flop 2, is maintained. After another gate time, the conditions are reversed once more, and the state set by the initialization is active once again. Hence, when the error control unit is working properly, the states mentioned alternate and the alarm-free state is indicated by a signal, in which the outputs of the flip-flops, in particular of the second and third flip-flop 202, 203, change regularly. The conditions described are shown in Part A of FIG. 4.

Part B in FIG. 4 shows a case when two error signals occur shortly after one another. At first the circuit behaves as described above. When the second error signal occurs (trailing edge in signal IN in FIG. 4, B, or second pulse in signal INP in FIG. 4, B), however, flip-flops 202 and 203 take on their respective input values at their output again. Since, however, the only different state at Q3 was not transmitted to Q1 (because there was no gate time clock), the “different” state is forgotten because Q3 and Q2 both are overwritten with state 1. Thus, all outputs Q1, Q2, and Q3 have the same logical value 1, which cannot be changed by subsequent cycles. Hence, a constant output signal is generated, also after additional cycles.

A case not shown in the figures is when an error signal IN 105 fails to occur. As a result of this the flip-flops 202, 203 are not clocked. Irrespective of what flip-flop 201 does, outputs Q2 and Q3 of flip-flops 202, 203 remain at a constant state.

The fourth flip-flop 204 is provided to determine those cases when an error signal (edge in signal IN 105 or pulse 414 in signal INP 207) occurs after the gate time has expired. After the initialization, Q4 has the value 1 and the EXOR gate 205 has the value 1. If the state of error signal IN 105 changes after the gate time has started, Q2 assumes the value 1 and EXOR gate 205 changes to 0. At the end of the gate time (leading edge of the gate time signal TOR 402) the fourth flip-flop 204 assumes the value 0 at its output and gate 205 changes from 0 to 1. Hence the state is changed. If, however, the error signal IN 105 does not change during the gate time, the output state of gate 205 does not change, so that once again there is a constant signal, indicating an unfavorable result of the checking procedure. If the error signal IN 105 changes several times during the gate time, Q3 is taken over at Q4 at the end of the gate time, so that the output of gate 205 does not change and signal 107 c remains constant again.

If, finally, an error signal occurs after the end of the gate time (case E in FIG. 4), Q3 once again takes over the value of Q2, without the only different output value of Q3 having been saved in Q1. Thus, the loop has “forgotten” the different shapes of the output states and once again no state changes at outputs Q1 to Q3 are executed during the subsequent control run (next gate time); consequently, a constant output signal causes an alarm to be emitted.

The embodiment according to FIG. 2 is designed so that it comprises the error signal 105 and alarm signal 107 in such a way that altogether only the alarm signal 107 is emitted. It indicates an alarm both when the error control unit 104 is not working properly and when the error control unit 104 is working properly and determines an error in circuit 101. The latter case corresponds to the cases when several error signals occur. In each case (both error signals within the gate time or one within and one outside the gate time) an alarm signal is generated. In the improbable case that an error signal invoked by a real error occurs at the same time as a provoked error signal it can be assumed that the real error signal will occur again later, so that it can be detected once again later. In this embodiment it is not necessary to filter out as “only provoked” the error message/error signal 105 invoked by the provoked error triggered by device 103. The provoked error does not appear in alarm signal 107.

Consequently, in the embodiment shown in FIG. 2 a signal on line 107 c that changes repeatedly indicates faultless operation, whereas a signal remaining constant over an extended period of time indicates an alarm condition, wherein this alarm condition can be traced back either to an error in circuit 101 or an error in error control unit 104. It is not necessary to distinguish between these two errors because the entire circuit should be checked in any case.

In order to obtain an alarm signal 107 that can be handled in a simpler way, signal 107 c (output of the EXOR gate 205), for example, can be applied to a signal monitoring circuit 501 (FIG. 5). The circuit is a form of watchdog circuit. It emits one type of state at output 502 for as long as it receives a regularly changing signal at input 107 c. If the regular changes fail to occur, it changes to the other state, with this other state then being another alarm signal. In this way, the existence or non-existence of an alarm/error can be determined by simply observing the state of signal 502. The time constants of the watchdog circuit are preferably designed in such a way that in-time state changes are interpreted as “good” and non-occurring and/or early and/or late state changes are interpreted as “bad”.
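The behaviour of the FIG. 2 embodiment described above can be reproduced with a short behavioural model. This is an added example, not part of the patent text: the class name, the event letters G (start of gate time), E (error pulse INP) and X (end of gate time) and the sample cycles are constructed here. It assumes a single reset RES before the first cycle and the initial values Q1=Q2=0, Q3=Q4=1 of the example shown, and it simplifies the watchdog of FIG. 5 to "alarm when a whole period passes without a change of signal 107 c".

```python
"""Behavioural model of the FIG. 2 checking device (illustrative, not the patent's own)."""

GATE_START, ERROR_PULSE, GATE_END = "G", "E", "X"


class RingChecker:
    """Three ring-connected D-flip-flops plus the fourth flip-flop and EXOR gate."""

    def __init__(self):
        # Initialization 209/210: Q3 holds the single state, Q1 and Q2 the
        # other one; Q4 starts with the same value as Q3.
        self.q1, self.q2, self.q3, self.q4 = 0, 0, 1, 1

    @property
    def out_107c(self):
        # EXOR gate 205: output Q2 combined with output Q4.
        return self.q2 ^ self.q4

    def clock(self, event):
        if event == GATE_START:
            # First flip-flop is clocked at the start of the gate time: D1 = Q3.
            self.q1 = self.q3
        elif event == ERROR_PULSE:
            # Second and third flip-flops share the clock derived from the
            # error signal, so both sample their *old* inputs together.
            self.q2, self.q3 = self.q1, self.q2
        elif event == GATE_END:
            # Fourth flip-flop is clocked at the end of the gate time: D4 = Q3.
            self.q4 = self.q3
        else:
            raise ValueError(f"unknown event {event!r}")
        return self.out_107c


def run(cycles):
    """Return, per check period, how often signal 107 c changed state."""
    checker = RingChecker()
    level = checker.out_107c
    counts = []
    for events in cycles:
        changes = 0
        for event in events:
            new_level = checker.clock(event)
            if new_level != level:
                changes += 1
            level = new_level
        counts.append(changes)
    return counts


def first_alarm_cycle(cycles):
    """Simplified watchdog: index of the first period in which 107 c never changed."""
    for index, changes in enumerate(run(cycles)):
        if changes == 0:
            return index
    return None


# Constructed event sequences, one string per check period.
HEALTHY = ["GEX", "GEX", "GEX", "GEX"]     # one error pulse inside each gate time
MISSING = ["GEX", "GX", "GEX", "GEX"]      # error signal fails to occur once
DOUBLE = ["GEEX", "GEX", "GEX"]            # two error pulses inside one gate time
LATE = ["GEXE", "GEX", "GEX", "GEX"]       # extra pulse after the gate time ended

if __name__ == "__main__":
    for name, cycles in [("healthy", HEALTHY), ("missing", MISSING),
                         ("double", DOUBLE), ("late", LATE)]:
        print(name, run(cycles), first_alarm_cycle(cycles))
```

In this model a missing pulse produces one period without a change and the ring then recovers, whereas an additional pulse (within or after the gate time) leaves Q1 to Q3 at the same value, so 107 c stays constant in all later periods.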

The pulse-forming circuit 301 to 304 in FIG. 3 works as follows: At the beginning of the signal checking procedure, the circuit is reset in the initialization step by means of the reset signal RES 401. Flip-flop 301 and gate 303 are used as edge detectors. Every change at input IN (leading and trailing edge) generates pulse 414 at output INP. The inverted output QN of the flip-flop is set to the same state as the input signal IN 105 by the reset signal RES 401. Due to the EXOR logic operation output INP 207 has the value 0. When the input signal/error signal IN 105 changes its state, a leading edge results at output INP 207, which clocks flip-flop 301. Flip-flop 301 is designed to act as a frequency divider and the inverted output QN changes its value. Thus, EXOR gate 303 once again has two equal input states, and its output INP 207 returns to 0.

What is claimed is:
 1. A method for checking an error control unit in a digital circuit, wherein the error control unit generates an error signal, when it is operating properly, if the digital circuit is in a state indicating an error, said method comprising the steps of: invoking, within a gate time, a state indicating the error, checking, within said gate time, an error signal, and generating an alarm signal when the error signal does not appear or appears incorrectly within said gate time.
 2. A device for evaluating an error control unit in a circuit, wherein the error control unit generates an error signal, when it is operating properly, if the circuit is in or outputs a state indicating an error, said device comprising: a device for inducing a state indicating an error, a device for checking an error signal after a state indicating the error was induced, and a device for generating an alarm signal if the error signal does not appear or appears incorrectly after the state indicating the error was induced, wherein the checking device checks the error signal within a gate time, within which the state indicating the error is induced, and generates the alarm signal if the error signal does not appear or appears incorrectly within the gate time.
 3. A device according to claim 2, further including means for generating a digital gate time signal, whose state indicates the gate time.
 4. A device according to claim 3, wherein said inducing device includes a plurality of D-flip-flops that do not all share a common clock signal.
 5. A device according to claim 4, wherein said inducing device includes an initialization device which sets the outputs of the plurality of D-flip-flops in such a way at the beginning that they do not adopt a common value.
 6. A device according to claim 4, wherein said plurality of D-flip-flops includes three D-flip-flops that are interconnected in a ring, with a first being clocked according to the gate time signal and a second and a third according to the error signal.
 7. A device according to claim 6, wherein the initialization device sets the first and second D-flip-flop to one logical state and the third D-flip-flop to the other logical state.
 8. A device according to claim 7, further including a pulse-forming circuit that receives the error signal and outputs a pulse having a pulse width which is less than the pulse width of the clock signal gate time for the second and third D-flip-flops whenever an edge appears.
 9. A device according to claim 6, wherein the alarm signal is a signal that remains constant for at least a predetermined period of time and is picked up at the output of at least one D-flip-flop.
 10. A device according to claim 9, wherein the alarm signal is formed from the output signals of each of the D-flip-flops that are clocked according to the error signal.
 11. A device according to claim 9, further including a monitoring circuit that receives the alarm signal and outputs a second alarm signal when no state change occurs within a period of time that is longer than the specified period of time.
 12. A device according to claim 6, further including a fourth D-flip-flop that is clocked toward the end of the gate time and whose D input receives the output from the third flip-flop and whose output is EXOR-connected with the output of the second D-flip-flop to form the alarm signal.
 13. A device according to claim 4, wherein the error signal is a signal whose state changes once when the state indicating the error occurs, with the plurality of D-flip-flops that are clocked according to the error signal being clocked at every edge of the error signal.
 14. A device according to claim 2, wherein said inducing device and checking device are digital circuits.